Static Application Security Testing (SAST) is a technique for analyzing program code to detect potential problems within the source code. That is, SAST performs such analysis without actually executing (running) the source code. Potential problems with the code can include, for example, potentially insecure dataflows that can endanger either the security or safety of the program. However, static analysis tools (e.g., SAST tools) often over-approximate the number of potential insecurities in a program, thus resulting in many reported findings that are neither security nor safety relevant (i.e., false positives). In general, this leads to the need for complex and dynamic security policies as well as a significant increase in the costs of manual system audits.
In some examples, the inevitable presence of false positives requires resources (e.g., processing, memory) to be expended on analyzing the results to determine whether a finding reported by the SAST tool needs to be attended to (e.g., fixed). If a finding requires attention, further resources are expended to address the underlying issue. Besides the resource-intensive effort of reviewing the results, a highly skilled expert is also required, which significantly increases the costs of SAST analysis.
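As an added illustration of the over-approximation described above (not part of the original text, and not the implementation of any real SAST tool): a toy taint analysis over a constructed miniature intermediate representation. It compares a flow-insensitive analysis, which ignores statement order and treats a variable as tainted if any statement anywhere could taint it, with a flow-sensitive analysis that tracks taint in program order. The statement forms, variable names and the three sample programs are constructed for this example; the findings the coarse analysis reports but the precise one does not are exactly the false positives a reviewer would otherwise have to triage by hand.

```python
"""Toy taint analysis showing how a coarse static analysis over-approximates.

Constructed example: a tiny straight-line IR, two analyses of differing precision,
and three sample programs. Nothing here is taken from a real SAST tool.
"""
from typing import Dict, List, Set, Tuple

# Hypothetical IR statement forms, constructed for this example:
#   ("source", dst)        -- dst receives attacker-controlled input
#   ("const", dst)         -- dst receives a constant (untainted) value
#   ("assign", dst, src)   -- dst = src
#   ("sanitize", dst, src) -- dst = sanitize(src); the result is untainted
#   ("sink", var)          -- var reaches a security-sensitive operation
Stmt = Tuple[str, ...]


def flow_insensitive(program: List[Stmt]) -> List[int]:
    """Ignore statement order: a variable is tainted if *any* statement in the
    program can make it tainted. Iterate to a fixpoint, then report every sink
    whose argument is in the tainted set. Cheap, but over-approximates, because
    later constant or sanitizer assignments never remove taint."""
    tainted: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for stmt in program:
            if stmt[0] == "source" and stmt[1] not in tainted:
                tainted.add(stmt[1])
                changed = True
            elif stmt[0] == "assign" and stmt[2] in tainted and stmt[1] not in tainted:
                tainted.add(stmt[1])
                changed = True
    return [i for i, s in enumerate(program) if s[0] == "sink" and s[1] in tainted]


def flow_sensitive(program: List[Stmt]) -> List[int]:
    """Respect statement order: the taint state is updated as statements execute
    in sequence, so a constant or sanitizer assignment kills earlier taint."""
    tainted: Set[str] = set()
    findings: List[int] = []
    for i, stmt in enumerate(program):
        op = stmt[0]
        if op == "source":
            tainted.add(stmt[1])
        elif op in ("const", "sanitize"):
            tainted.discard(stmt[1])
        elif op == "assign":
            if stmt[2] in tainted:
                tainted.add(stmt[1])
            else:
                tainted.discard(stmt[1])
        elif op == "sink" and stmt[1] in tainted:
            findings.append(i)
    return findings


def classify(program: List[Stmt]) -> Dict[str, List[int]]:
    """Report what the coarse analysis flags, what the precise one confirms, and
    the difference: findings a human reviewer would have to discard."""
    reported = set(flow_insensitive(program))
    confirmed = set(flow_sensitive(program))
    return {
        "reported": sorted(reported),
        "confirmed": sorted(confirmed),
        "false_positives": sorted(reported - confirmed),
    }


# Constructed program 1: taint is overwritten by a constant before the sink.
OVERWRITTEN_PROGRAM: List[Stmt] = [
    ("source", "user"),
    ("assign", "query", "user"),
    ("const", "query"),       # query now holds a fixed value
    ("sink", "query"),        # index 3: no real flow reaches this sink
]

# Constructed program 2: the variable is sanitized in place before the sink.
SANITIZED_PROGRAM: List[Stmt] = [
    ("source", "user"),
    ("sanitize", "user", "user"),
    ("sink", "user"),         # index 2: sanitized, so no real flow
]

# Constructed program 3: a genuine source-to-sink flow.
VULNERABLE_PROGRAM: List[Stmt] = [
    ("source", "user"),
    ("assign", "query", "user"),
    ("sink", "query"),        # index 2: real finding, both analyses agree
]

if __name__ == "__main__":
    for name, prog in [("overwritten", OVERWRITTEN_PROGRAM),
                       ("sanitized", SANITIZED_PROGRAM),
                       ("vulnerable", VULNERABLE_PROGRAM)]:
        print(name, classify(prog))
```

The coarse analysis flags the sink in all three programs; the order-aware analysis confirms only the third. The first two are the kind of reported-but-irrelevant findings the text refers to, and the gap between the two result sets is the review effort that a more precise analysis saves.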